Hijack Help...Weird virus.


  1. Posts : 10
    Windows 7 i3
       #1

    Hijack Help...Weird virus.


    Wussup guys, so I actually posted something earlier about the help I needed for this virus, where voices have been playing on my computer while none of the browsers were open. The talking voice basically talks about an advertisement for Netflix, Firefox and Internet Explorer and how it is trending right now. I actually did the whole Malwarebytes, HijackThis and CCleaner routine, but a few days ago the laptop crashed on me. The screen turned all black, and the only things I could access were Microsoft Word and the Recycle Bin. Every other file says "Empty", so nothing could be opened but those two. So I basically ran HijackThis... So I'd really appreciate it if someone could tell me what's wrong and what I should safely be deleting, and what the problem is. Thanks a bunch guys.


    Code:
     
    Logfile of HijackThis v1.99.1
    Scan saved at 11:47:46 AM, on 17/12/2011
    Platform: Unknown Windows (WinNT 6.01.3504)
    MSIE: Internet Explorer v8.00 (8.00.7600.16912)
     
    Running processes:
    C:\windows\Explorer.EXE
    C:\windows\system32\ctfmon.exe
    E:\HijackThis.exe
     
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,SearchAssistant = 
    R0 - HKLM\Software\Microsoft\Internet Explorer\Search,CustomizeSearch = 
    O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
    O2 - BHO: RealPlayer Download and Record Plugin for Internet Explorer - {3049C3E9-B461-4BC5-8870-4C09146192CA} - C:\ProgramData\Real\RealPlayer\BrowserRecordPlugin\IE\rpbrowserrecordplugin.dll
    O2 - BHO: Spybot-S&D IE Protection - {53707962-6F74-2D53-2644-206D7942484F} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O2 - BHO: Groove GFS Browser Helper - {72853161-30C5-4D22-B7F9-0BBC1D38A37E} - C:\Program Files\Microsoft Office\Office12\GrooveShellExtensions.dll
    O2 - BHO: Java(tm) Plug-In 2 SSV Helper - {DBC80044-A445-435b-BC74-9C25C1C588A9} - C:\Program Files\Java\jre6\bin\jp2ssv.dll
    O2 - BHO: TOSHIBA Media Controller Plug-in - {F3C88694-EFFA-4d78-B409-54B7B2535B14} - C:\Program Files\TOSHIBA\TOSHIBA Media Controller Plug-in\TOSHIBAMediaControllerIE.dll
    O2 - BHO: YouTube Downloader Toolbar - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files\YouTube Downloader Toolbar\IE\4.8\youtubedownloaderToolbarIE.dll
    O3 - Toolbar: YouTube Downloader Toolbar - {F3FEE66E-E034-436a-86E4-9690573BEE8A} - C:\Program Files\YouTube Downloader Toolbar\IE\4.8\youtubedownloaderToolbarIE.dll
    O4 - HKLM\..\Run: [cAudioFilterAgent] C:\Program Files\Conexant\cAudioFilterAgent\cAudioFilterAgent.exe
    O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
    O4 - HKLM\..\Run: [00TCrdMain] %ProgramFiles%\TOSHIBA\FlashCards\TCrdMain.exe
    O4 - HKLM\..\Run: [TWebCamera] "C:\Program Files\TOSHIBA\TOSHIBA Web Camera Application\TWebCamera.exe" autorun
    O4 - HKLM\..\Run: [SmartFaceVWatcher] %ProgramFiles%\Toshiba\SmartFaceV\SmartFaceVWatcher.exe
    O4 - HKLM\..\Run: [TosSENotify] C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosWaitSrv.exe
    O4 - HKLM\..\Run: [ToshibaServiceStation] C:\Program Files\TOSHIBA\TOSHIBA Service Station\ToshibaServiceStation.exe /hide:60
    O4 - HKLM\..\Run: [Teco] "%ProgramFiles%\TOSHIBA\TECO\Teco.exe" /r
    O4 - HKLM\..\Run: [TosWaitSrv] %ProgramFiles%\TOSHIBA\TPHM\TosWaitSrv.exe
    O4 - HKLM\..\Run: [TosVolRegulator] C:\Program Files\TOSHIBA\TosVolRegulator\TosVolRegulator.exe
    O4 - HKLM\..\Run: [TosReelTimeMonitor] %ProgramFiles%\TOSHIBA\ReelTime\TosReelTimeMonitor.exe
    O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Common Files\Java\Java Update\jusched.exe"
    O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\AppleSyncNotifier.exe
    O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
    O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
    O4 - HKLM\..\Run: [Adobe ARM] "C:\Program Files\Common Files\Adobe\ARM\1.0\AdobeARM.exe"
    O4 - HKLM\..\Run: [GrooveMonitor] "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe"
    O4 - HKLM\..\Run: [RIMBBLaunchAgent.exe] C:\Program Files\Common Files\Research In Motion\USB Drivers\RIMBBLaunchAgent.exe
    O4 - HKLM\..\Run: [Malwarebytes' Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [TosNC] %ProgramFiles%\Toshiba\BulletinBoard\TosNcCore.exe
    O4 - HKLM\..\Run: [Malwarebytes Anti-Malware (reboot)] "C:\Program Files\Malwarebytes' Anti-Malware\mbam.exe" /runcleanupscript
    O4 - HKLM\..\Run: [DivXUpdate] "C:\Program Files\DivX\DivX Update\DivXUpdate.exe" /CHECKNOW
    O4 - HKCU\..\Run: [Pando Media Booster] C:\Program Files\Pando Networks\Media Booster\PMB.exe
    O4 - HKCU\..\Run: [SpybotSD TeaTimer] C:\Program Files\Spybot - Search & Destroy\TeaTimer.exe
    O4 - HKCU\..\Run: [Google Update] "C:\Users\Francois\AppData\Local\Google\Update\GoogleUpdate.exe" /c
    O4 - HKCU\..\Run: [WJMWgUJVYTPq.exe] C:\ProgramData\WJMWgUJVYTPq.exe
    O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
    O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = C:\Users\Francois\AppData\Local\Temp\{7F3ACAAB-AFC7-42AE-B85E-08522BB42739}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe
    O9 - Extra button: Send to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
    O9 - Extra 'Tools' menuitem: S&end to OneNote - {2670000A-7350-4f3c-8081-5663EE0C6C49} - C:\PROGRA~1\MIF5BA~1\Office12\ONBttnIE.dll
    O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MIF5BA~1\Office12\REFIEBAR.DLL
    O9 - Extra button: (no name) - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O9 - Extra 'Tools' menuitem: Spybot - Search & Destroy Configuration - {DFB852A3-47F8-48C4-A200-58CAB36FD2A2} - C:\PROGRA~1\SPYBOT~1\SDHelper.dll
    O11 - Options group: [INTERNATIONAL] International
    O13 - Gopher Prefix: 
    O18 - Protocol: livecall - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: ms-help - {314111C7-A502-11D2-BBCA-00C04F8EC294} - C:\Program Files\Common Files\Microsoft Shared\Help\hxds.dll
    O18 - Protocol: msnim - {828030A1-22C1-4009-854F-8E305202313F} - C:\PROGRA~1\WIC4A1~1\MESSEN~1\MSGRAP~1.DLL
    O18 - Protocol: wlmailhtml - {03C514A3-1EFB-4856-9F99-10D7BE1653C0} - C:\Program Files\Windows Live\Mail\mailcomm.dll
    O18 - Filter hijack: text/xml - {807563E5-5146-11D5-A672-00B0D022E945} - C:\PROGRA~1\COMMON~1\MICROS~1\OFFICE12\MSOXMLMF.DLL
    O20 - Winlogon Notify: igfxcui - C:\windows\SYSTEM32\igfxdev.dll
    O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\AppleMobileDeviceService.exe
    O23 - Service: Application Updater - Spigot, Inc. - C:\Program Files\Application Updater\ApplicationUpdater.exe
    O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
    O23 - Service: ConfigFree WiMAX Service (cfWiMAXService) - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFIWmxSvcs.exe
    O23 - Service: ConfigFree Service - TOSHIBA CORPORATION - C:\Program Files\TOSHIBA\ConfigFree\CFSvcs.exe
    O23 - Service: Google Update Service (gupdate) (gupdate) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: Google Update Service (gupdatem) (gupdatem) - Google Inc. - C:\Program Files\Google\Update\GoogleUpdate.exe
    O23 - Service: InstallDriver Table Manager (IDriverT) - Macrovision Corporation - C:\Program Files\Common Files\InstallShield\Driver\1050\Intel 32\IDriverT.exe
    O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
    O23 - Service: Intel(R) Management and Security Application Local Management Service (LMS) - Intel Corporation - C:\Program Files\Intel\Intel(R) Management Engine Components\LMS\LMS.exe
    O23 - Service: McAfee Security Scan Component Host Service (McComponentHostService) - McAfee, Inc. - C:\Program Files\McAfee Security Scan\2.0.189\McCHSvc.exe
    O23 - Service: @%SystemRoot%\system32\qwave.dll,-1 (QWAVE) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: SBSD Security Center Service (SBSDWSCService) - Safer Networking Ltd. - C:\Program Files\Spybot - Search & Destroy\SDWinSec.exe
    O23 - Service: @%SystemRoot%\system32\seclogon.dll,-7001 (seclogon) - Unknown owner - %windir%\system32\svchost.exe (file missing)
    O23 - Service: TMachInfo - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA Service Station\TMachInfo.exe
    O23 - Service: TOSHIBA Optical Disc Drive Service (TODDSrv) - TOSHIBA Corporation - C:\windows\system32\TODDSrv.exe
    O23 - Service: TOSHIBA Power Saver (TosCoSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\Power Saver\TosCoSrv.exe
    O23 - Service: TOSHIBA eco Utility Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TECO\TecoService.exe
    O23 - Service: TOSHIBA HDD SSD Alert Service - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TOSHIBA HDD SSD Alert\TosSmartSrv.exe
    O23 - Service: TPCH Service (TPCHSrv) - TOSHIBA Corporation - C:\Program Files\TOSHIBA\TPHM\TPCHSrv.exe
    O23 - Service: Intel(R) Management & Security Application User Notification Service (UNS) - Intel Corporation - C:\Program Files\Intel\Intel(R) Management Engine Components\UNS\UNS.exe
    O23 - Service: @%PROGRAMFILES%\Windows Media Player\wmpnetwk.exe,-101 (WMPNetworkSvc) - Unknown owner - %PROGRAMFILES%\Windows Media Player\wmpnetwk.exe (file missing)
    Last edited by Brink; 17 Dec 2011 at 15:10. Reason: code box


  2. Posts : 529
    Windows 7 Home Premium x64
       #2

    Hey, monami92

    Run this: Downloads - SurfRight
    and after that this: Malwarebytes : Free anti-malware, anti-virus and spyware removal download

    And report back :)

    PS: if you can't run it in normal mode, use Safe Mode (press F8 while booting the PC)


  3. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #3

    O4 - HKCU\..\Run: [WJMWgUJVYTPq.exe] C:\ProgramData\WJMWgUJVYTPq.exe
    WJMWGUJVYTPQ.EXE
    Trojan.Agent/Gen-FakeAV

    WJMWGUJVYTPQ.EXE - Trojan.Agent/Gen-FakeAV | SUPERAntiSpyware

    Suggest you d/l SuperAntiSpyware and see if that can clean the infection. If the virus will not let you access the site or run the file, you can either run RKill and attempt to d/l it again, or d/l the portable version of SuperAntiSpyware (from another PC if access is still denied) and save it to a flash drive. Plug the flash drive into the infected computer & attempt to run it.

    SuperAntiSpyware Portable Version - Please note : The scanner is saved under a random filename so that malware infections won't block the scanner.
    As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill you should immediately scan your computer using some sort of anti-malware or anti-virus program so that the infections can be properly removed.
    It appears some of your files may have been damaged by the virus. After verifying you have rid the PC of the virus, you should do a SFC to see if that will repair the files.

    SFC /SCANNOW Command - System File Checker

    If this does not, you may have to do a repair install.

    Repair Install
    Last edited by Borg 386; 17 Dec 2011 at 16:37.
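    The rule of thumb Borg 386 applied by hand in the post above (a Run entry that launches a randomly named executable straight out of C:\ProgramData is the one to look at first, while vendor entries under Program Files are noise) can be mechanised. The script below is an added example; it is not part of the thread and not a HijackThis feature. It parses the O4 autostart lines of a HijackThis log (a subset of the log posted in this thread is embedded as constructed sample input), scores each entry by where the file lives and whether its file name looks machine-generated, and prints the ones worth checking. The scoring thresholds and the name heuristic are this example's own assumptions; a REVIEW result is a prompt to inspect the file, not a verdict. Note that it also flags the Startup-folder shortcut that launches from a Temp directory purely on location, which is what a triage script should do even if that particular entry turns out to be a game's registration launcher.

```python
"""Triage the O4 (autostart) entries of a HijackThis v1.99 log.

Added example, not from the forum thread and not part of HijackThis. The sample
lines are copied from the log posted in the thread; heuristics are our own.
"""
import ntpath
import re
from dataclasses import dataclass, field

# Constructed sample: a subset of the O4 lines from the log posted in the thread.
SAMPLE_LOG = r"""
O4 - HKLM\..\Run: [TPwrMain] %ProgramFiles%\TOSHIBA\Power Saver\TPwrMain.EXE
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKCU\..\Run: [Google Update] "C:\Users\Francois\AppData\Local\Google\Update\GoogleUpdate.exe" /c
O4 - HKCU\..\Run: [WJMWgUJVYTPq.exe] C:\ProgramData\WJMWgUJVYTPq.exe
O4 - Startup: OneNote 2007 Screen Clipper and Launcher.lnk = C:\Program Files\Microsoft Office\Office12\ONENOTEM.EXE
O4 - Startup: RollerCoaster Tycoon 3_ Wild Registration.lnk = C:\Users\Francois\AppData\Local\Temp\{7F3ACAAB-AFC7-42AE-B85E-08522BB42739}\{45653847-497F-47BB-A878-46FBDE34A3E0}\ATR1.exe
"""

# "O4 - HKCU\..\Run: [name] command" and "O4 - Startup: name.lnk = command"
RUN_RE = re.compile(r"^O4 - (?P<hive>HKLM|HKCU)\\\.\.\\Run: \[(?P<name>[^\]]*)\] (?P<cmd>.*)$")
STARTUP_RE = re.compile(r"^O4 - Startup: (?P<name>.*?) = (?P<cmd>.*)$")
# The executable is everything up to the first ".exe", quoted or not (paths may contain spaces).
EXE_RE = re.compile(r'^"?(?P<path>.*?\.exe)', re.IGNORECASE)
VOWELS = set("aeiou")


@dataclass
class Finding:
    entry: str
    source: str            # HKLM, HKCU or Startup (folder)
    path: str
    reasons: list = field(default_factory=list)
    score: int = 0


def looks_random(stem: str) -> bool:
    """Assumed heuristic: almost no vowels, or digits interleaved with letters."""
    letters = [c for c in stem if c.isalpha()]
    if len(letters) >= 6:
        vowel_ratio = sum(c.lower() in VOWELS for c in letters) / len(letters)
        if vowel_ratio < 0.2:
            return True
    flips = sum(1 for a, b in zip(stem, stem[1:])
                if a.isalnum() and b.isalnum() and a.isdigit() != b.isdigit())
    return flips >= 3


def exe_path(cmd: str) -> str:
    m = EXE_RE.match(cmd.strip())
    return m.group("path") if m else cmd.strip()


def assess(entry: str, source: str, path: str) -> Finding:
    f = Finding(entry, source, path)
    parts = [p.lower() for p in path.split("\\")]
    parent = ntpath.dirname(path).lower()
    if parent in ("c:\\programdata", "%programdata%"):
        f.reasons.append("executable sits directly in the ProgramData root, not in a vendor subfolder")
        f.score += 2
    if "temp" in parts:
        f.reasons.append("launches from a Temp directory")
        f.score += 2
    stem = ntpath.splitext(ntpath.basename(path))[0]
    if looks_random(stem):
        f.reasons.append(f"file name {stem!r} looks machine-generated")
        f.score += 1
    return f


def triage(log_text: str) -> list:
    """Parse every O4 line and return findings, highest score first."""
    findings = []
    for line in log_text.splitlines():
        line = line.strip()
        m = RUN_RE.match(line)
        if m:
            findings.append(assess(m["name"], m["hive"], exe_path(m["cmd"])))
            continue
        m = STARTUP_RE.match(line)
        if m:
            findings.append(assess(m["name"], "Startup", exe_path(m["cmd"])))
    return sorted(findings, key=lambda f: f.score, reverse=True)


def flagged(log_text: str, threshold: int = 2) -> list:
    """Entries that reach the (assumed) review threshold."""
    return [f for f in triage(log_text) if f.score >= threshold]


if __name__ == "__main__":
    for f in triage(SAMPLE_LOG):
        tag = "REVIEW" if f.score >= 2 else "ok    "
        print(f"{tag} [{f.source}] {f.entry} -> {f.path}")
        for r in f.reasons:
            print("        -", r)
```

    On the sample above the only entries that reach the threshold are the HKCU Run entry for WJMWgUJVYTPq.exe (ProgramData root plus a random-looking name) and the Startup shortcut that runs ATR1.exe from a Temp folder; every vendor entry under Program Files scores zero. An HKCU Run key is worth noting separately when reading the output: it is writable by the logged-in user, so malware needs no elevation to install there.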


  4. Posts : 10
    Windows 7 i3
    Thread Starter
       #4

    GianniDPC said:
    Hey, monami92

    Run this: Downloads - SurfRight
    and after that this: Malwarebytes : Free anti-malware, anti-virus and spyware removal download

    And report back :)

    PS: if you can't run it in normal mode do safe mode (press F8 while booting the pc)


    Hey GianniDPC,

    So I ran it through SurfRight first, but there is no save log option. Did you want me to type them out or something?
    But for the Malwarebytes scan, here it is.


    Malwarebytes' Anti-Malware 1.51.2.1300
    Malwarebytes : Free anti-malware, anti-virus and spyware removal download

    Database version: 8388

    Windows 6.1.7600
    Internet Explorer 8.0.7600.16385

    17/12/2011 5:31:05 PM
    mbam-log-2011-12-17 (17-30-59).txt

    Scan type: Full scan (C:\|D:\|E:\|)
    Objects scanned: 389596
    Time elapsed: 2 hour(s), 24 minute(s), 20 second(s)

    Memory Processes Infected: 2
    Memory Modules Infected: 0
    Registry Keys Infected: 0
    Registry Values Infected: 1
    Registry Data Items Infected: 2
    Folders Infected: 0
    Files Infected: 3

    Memory Processes Infected:
    c:\programdata\wjmwgujvytpq.exe (Trojan.Agent) -> 3200 -> No action taken.
    c:\programdata\0x9ucmapwsmuwb.exe (Trojan.Agent) -> 4708 -> No action taken.

    Memory Modules Infected:
    (No malicious items detected)

    Registry Keys Infected:
    (No malicious items detected)

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WJMWgUJVYTPq.exe (Trojan.Agent) -> Value: WJMWgUJVYTPq.exe -> No action taken.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

    Folders Infected:
    (No malicious items detected)

    Files Infected:
    c:\programdata\wjmwgujvytpq.exe (Trojan.Agent) -> No action taken.
    c:\programdata\0x9ucmapwsmuwb.exe (Trojan.Agent) -> No action taken.
    c:\Users\Francois\AppData\LocalLow\Sun\Java\deployment\cache\6.0\17\73f42791-715415c2 (Trojan.Agent) -> No action taken.


  5. Posts : 10
    Windows 7 i3
    Thread Starter
       #5

    Borg 386 said:
    O4 - HKCU\..\Run: [WJMWgUJVYTPq.exe] C:\ProgramData\WJMWgUJVYTPq.exe
    WJMWGUJVYTPQ.EXE
    Trojan.Agent/Gen-FakeAV

    WJMWGUJVYTPQ.EXE - Trojan.Agent/Gen-FakeAV | SUPERAntiSpyware

    Suggest you d/l SuperAntiSpyware and see if that can clean the infection. If the virus will not let you access the site or run the file, you can either run RKill and attempt to d/l it again or d/l the portable version of SuperAntiSpyware (from another PC if access is still denied) and save to a FD. Plug the FD into the infected computer & attempt to run it.

    SuperAntiSpyware Portable Version - Please note : The scanner is saved under a random filename so that malware infections won't block the scanner.
    As RKill only terminates a program's running process, and does not delete any files, after running it you should not reboot your computer as any malware processes that are configured to start automatically will just be started again. Instead, after running RKill you should immediately scan your computer using some sort of anti-malware or anti-virus program so that the infections can be properly removed.
    It appears some of your files may have been damaged by the virus. After verifying you have rid the PC of the virus, you should do a SFC to see if that will repair the files.

    SFC /SCANNOW Command - System File Checker

    If this does not, you may have to do a repair install.

    Repair Install


    Hi there, so should I be trying to delete O4 - HKCU\..\Run: [WJMWgUJVYTPq.exe] C:\ProgramData\WJMWgUJVYTPq.exe from HijackThis? But I will run it through SuperAntiSpyware. Thanks


  6. Posts : 529
    Windows 7 Home Premium x64
       #6

    monami92 said:

    Hi there, so should I be trying to delete O4 - HKCU\..\Run: [WJMWgUJVYTPq.exe] C:\ProgramData\WJMWgUJVYTPq.exe from HijackThis? But I will run it through SuperAntiSpyware. Thanks
    No! If you deleted all the infected files with MBAM then you're fine, but still run a Hitman scan please (just to be sure it's OK) (and the logs are at Settings > History) :)


  7. Posts : 7,781
    Win 7 32 Home Premium, Win 7 64 Pro, Win 8.1, Win 10
       #7

    Memory Processes Infected:
    c:\programdata\wjmwgujvytpq.exe (Trojan.Agent) -> 3200 -> No action taken.
    c:\programdata\0x9ucmapwsmuwb.exe (Trojan.Agent) -> 4708 -> No action taken.

    Registry Values Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WJMWgUJVYTPq.exe (Trojan.Agent) -> Value: WJMWgUJVYTPq.exe -> No action taken.

    Registry Data Items Infected:
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
    HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
    Make sure that the infections are deleted. It says no action was taken, and MBAM won't do anything unless you check the boxes next to the infections & put them in quarantine or delete them permanently.

    Yes, it would definitely be a good idea to run a couple more scans with 1 or 2 other on-demand AVs just to be sure it's all clear. Viruses have a nasty habit of calling for backup & re-infecting the machine if there is an infected file from it remaining.
    Last edited by Borg 386; 18 Dec 2011 at 19:01.
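    Borg 386's point in the post above, that a Malwarebytes log full of "No action taken" means nothing was actually removed, is easy to check mechanically before running the next scanner. The script below is an added example; it is not from the thread and not part of Malwarebytes. It parses the MBAM 1.x log format shown earlier in this thread (the posted results are embedded as constructed sample input), cross-checks the summary counts at the top of the log against the items listed per section, lists every detection that still reads "No action taken", and separately reports detected processes that were left running, since terminating those without removing the file and its Run entry only delays the reinfection (the same reason the RKill advice says not to reboot). The "Quarantined and deleted successfully." wording in the cleaned-up variant is assumed from MBAM 1.x output for the comparison and is not copied from the thread.

```python
"""Check a Malwarebytes' Anti-Malware 1.x log for detections that were never remediated.

Added example; not from the thread and not part of Malwarebytes. The sample log
below is copied from the results posted in the thread, embedded so it runs offline.
"""
import re
from dataclasses import dataclass

SAMPLE_MBAM_LOG = r"""
Memory Processes Infected: 2
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 1
Registry Data Items Infected: 2
Folders Infected: 0
Files Infected: 3

Memory Processes Infected:
c:\programdata\wjmwgujvytpq.exe (Trojan.Agent) -> 3200 -> No action taken.
c:\programdata\0x9ucmapwsmuwb.exe (Trojan.Agent) -> 4708 -> No action taken.

Memory Modules Infected:
(No malicious items detected)

Registry Keys Infected:
(No malicious items detected)

Registry Values Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WJMWgUJVYTPq.exe (Trojan.Agent) -> Value: WJMWgUJVYTPq.exe -> No action taken.

Registry Data Items Infected:
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowMyComputer (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.
HKEY_CURRENT_USER\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Start_ShowSearch (PUM.Hijack.StartMenu) -> Bad: (0) Good: (1) -> No action taken.

Folders Infected:
(No malicious items detected)

Files Infected:
c:\programdata\wjmwgujvytpq.exe (Trojan.Agent) -> No action taken.
c:\programdata\0x9ucmapwsmuwb.exe (Trojan.Agent) -> No action taken.
c:\Users\Francois\AppData\LocalLow\Sun\Java\deployment\cache\6.0\17\73f42791-715415c2 (Trojan.Agent) -> No action taken.
"""

# Constructed variant: the same log as it would read after the boxes were ticked and the
# items removed. The status wording is assumed from MBAM 1.x output, not taken from the thread.
CLEANED_MBAM_LOG = SAMPLE_MBAM_LOG.replace("No action taken.", "Quarantined and deleted successfully.")

# "Files Infected: 3" (summary) or "Files Infected:" (start of a detail section)
SECTION_RE = re.compile(r"^(?P<name>[A-Za-z ]+ Infected):(?:\s*(?P<count>\d+))?$")


@dataclass
class Item:
    section: str
    obj: str         # file, process or registry path
    detection: str   # e.g. Trojan.Agent, PUM.Hijack.StartMenu
    detail: str      # PID, registry value name, or Bad/Good data; empty for plain files
    status: str      # what MBAM did with it


def parse_mbam(log_text: str):
    """Return (summary counts, items per section) from an MBAM 1.x log."""
    summary, sections, current = {}, {}, None
    for raw in log_text.splitlines():
        line = raw.strip()
        m = SECTION_RE.match(line)
        if m:
            if m["count"] is not None:
                summary[m["name"]] = int(m["count"])   # summary block at the top
            else:
                current = m["name"]                     # detail section follows
                sections[current] = []
            continue
        if current is None or not line or line.startswith("("):
            continue                                    # blank or "(No malicious items detected)"
        parts = [p.strip() for p in line.split(" -> ")]
        obj, _, detection = parts[0].rpartition(" (")
        detail = " -> ".join(parts[1:-1])
        sections[current].append(Item(current, obj, detection.rstrip(")"), detail, parts[-1]))
    return summary, sections


def unremediated(log_text: str) -> list:
    """Detections MBAM listed but did not quarantine or delete."""
    _, sections = parse_mbam(log_text)
    return [it for items in sections.values() for it in items
            if it.status.lower().startswith("no action taken")]


def summary_mismatches(log_text: str) -> dict:
    """Sections whose summary count disagrees with the items actually listed (truncated log?)."""
    summary, sections = parse_mbam(log_text)
    return {name: (summary.get(name), len(items))
            for name, items in sections.items() if summary.get(name) != len(items)}


def still_running(log_text: str) -> list:
    """(path, PID) of detected processes that were left running."""
    _, sections = parse_mbam(log_text)
    return [(it.obj, int(it.detail)) for it in sections.get("Memory Processes Infected", [])
            if it.status.lower().startswith("no action taken")]


if __name__ == "__main__":
    for it in unremediated(SAMPLE_MBAM_LOG):
        print(f"NOT REMOVED [{it.section}] {it.obj} ({it.detection})")
    print("summary mismatches:", summary_mismatches(SAMPLE_MBAM_LOG))
    print("left running:", still_running(SAMPLE_MBAM_LOG))
    print("after cleanup, unremediated:", len(unremediated(CLEANED_MBAM_LOG)))
```

    Run against the posted log this reports all eight listed detections as not removed and both ProgramData executables as still running; against the cleaned-up variant it reports nothing, which is the state to reach before the follow-up scans and the SFC run make sense.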


 

Windows 7 Forums is an independent web site and has not been authorized, sponsored, or otherwise approved by Microsoft Corporation. "Windows 7" and related materials are trademarks of Microsoft Corp.

© Designer Media Ltd